Privacy Policy

Last updated: April 10, 2026.

We collect the minimum data we need to run a security scanner, and we do not train models on your code. This policy explains what we store, why, how long, and how you control it.

1. What we collect

Account data: name, work email, company, role, password hash. Optional: profile photo, timezone.

Project data: the repositories, SBOMs, lock files, and configs you scan. Scan results, advisory matches, remediation history.

Usage data: which pages you visit in the dashboard, which features you click, error reports. Aggregated and pseudonymised after 90 days.

Billing data: processed by Stripe. We never see full card numbers. Last four digits and billing address stored for receipts.

2. How we use it

Operate the service: run scans, show findings, deliver webhooks, send product email.

Improve the service: diagnose bugs, measure feature adoption, prioritize roadmap. No model training on your code.

Security: detect abuse, prevent account takeover, respond to incidents.

Billing: charge your plan, send receipts, collect tax where required.

3. Who we share with

Sub-processors: cloud infrastructure (AWS), email (Postmark), payments (Stripe), error tracking (Sentry, with PII stripping). Full list on request.

Legal: if compelled by a valid legal process. We challenge overbroad requests and notify you unless legally prohibited.

Aggregate stats: de-identified metrics for marketing (e.g. "top 10 most-scanned packages this month"). Never tied to accounts.

4. Retention

Active account data: kept while your account is active.

Scan results: kept while your account is active or as configured in your dashboard (default 180 days).

Backups: 35 days after deletion.

Billing records: 7 years as required by tax law.

5. Your rights

Access: export everything from dashboard settings.

Correction: edit profile in settings; for billing records email privacy@rorix.io.

Deletion: close the account; we purge within 35 days except where retention is legally required.

Portability: SBOMs export as CycloneDX or SPDX. Scan history exports as JSON.

Objection and restriction: contact privacy@rorix.io. EU/UK residents have additional rights under GDPR/UK GDPR.

6. Security

Encryption in transit (TLS 1.3) and at rest (AES-256). SSO via SAML or OIDC for Enterprise.

Scoped least-privilege access for employees. Audit logs retained for 12 months. See our SOC 2 Type II report under NDA.

If we discover a breach that affects you, we notify within 72 hours of confirmation.

7. International transfers

Primary hosting is in eu-north-1 (Stockholm). Backups replicate to eu-west-1 (Dublin). No US transfers by default.

Enterprise customers can opt into US regions for US data residency. Covered by SCCs where applicable.

8. Children

Rorix is not for anyone under 16. If we learn we have data on a child under 16, we delete it.

9. Contact

Privacy questions: privacy@rorix.io.

Data Protection Officer: dpo@rorix.io.

EU representative: available on request.